Risk Management – fraud in the Not for Profit sector
Press release
24 March 2011
Fraud in the Not for Profit sector is costing charities money and reputation. Yet there seems to be little enthusiasm among many organisations to adopt a more formal approach to risk management assessment.
This is one of the alarming findings of the 2011 Not for Profit sector survey by chartered accountants Grant Thornton New Zealand. Since 2009 our courts have prosecuted individuals who in total have stolen more than $3 million from New Zealand charities – that’s $30,000 plus each week as a result of fraud.
Alec Flood, a partner at Grant Thornton New Zealand, said there was room for improvement in carefully assessing and monitoring where the risks in the not for profit sector lie, particularly those relating to the processing and controls surrounding financial and cash transactions.
In this, the fifth biannual Grant Thornton survey of the sector, respondents were asked for the first time to indicate how they were dealing with risk management. Only 14% of respondents thought it to be a significant issue for them.
“For a sector that relies on funding as its life blood, this was an unusually low response rate. The topic of risk management is wide reaching and includes the operational, financial, ethical, regulatory and some would say most importantly, the reputational risk of the organisation. For many Not for Profit organisations, risk management is associated with an assessment of foreseeable risks and taking out insurance contracts and occasionally financial instruments to manage the consequences of the most damaging outcomes.”
Flood goes on to explain that risk management can be much more than this. Early identification of operational risks associated with an organisation could assist in both the daily running of the organisation and its long-term survival but risk management should also be about maximising the right opportunities.
As part of the survey, Grant Thornton asked respondents if their organisation’s operational risk profile had increased or decreased over the past 12 months. Over 40% of respondents mentioned that their operational risk profile had increased somewhat (7% said significantly so). With this increase comes the challenge for executives and board members to manage and understand the risks present and their implications.
“As risk complexity increases, so will an organisation’s spending on risk-management. Therefore it is not unexpected that almost half (44%) of our survey respondents believe that their risk-management resources will increase. Furthermore, only 1% of organisations intend to reduce their risk-management resources,” says Flood.
“Clearly, Not for Profit organisations recognise the importance of risk-management and it is important to acknowledge that risk-management is more than simply protecting existing assets; it is also about enabling performance to create future value.”
Alec Flood goes on to say that slightly more than half of survey respondents maintained a ‘risk register’ identifying potential hazards on issues.
“71% of those with a risk register only updated the register once every 6 or 12 months. The awareness of a risk does not extinguish the risk and it is evident by nature that risks continually change. Our view is that best practice is to review all risks at least bi-monthly.”
Among those who had a register, a third of the respondents thought the risk register was never circulated to all the employees. Strong risk management suggests that employees should be required to sign off acceptance annually and that significant changes throughout the year are communicated as they arise.
“Reality, however, is that most risk functions are asked to do more with the same or limited additional resources. The challenge will be for organisations to find increased efficiencies in the way their risk-management functions operate and to define the improvements that create the greatest value.”
As expected, the risk register is used to identify the risk or hazard, and for 85% of respondents with a risk register it is used to identify an action plan to minimise risk, Flood said.
In many organisations it was often left to the Chief Executive (44%) or the Board (38%) to sign off the risk register, which is more common in the smaller organisations. Only 13% of organisations with a risk register had the risk manager sign off the register.
“We did not expect to find such limited circulation of risk registers for those organisations that actually maintain one,” explained Flood. “From a governance level, 52% of Boards either never see the risk register or only view it on an annual basis. This begs the question, how should Board members demonstrate they have acted responsibly and performed the role that a reasonable person would have expected of them?”
Grant Thornton’s market data shows that the 100 largest organisations in this sector, 46 of which are registered charities, now account for more than $2.5 billion of turnover each year - an average of $25 million each.
ENDS